jro_apps/redmine Commit - r3056:9a452a5c351f

Make sure user can not watch what he is not allowed to view....

Jean-Philippe Lang -

r3056:9a452a5c351f

parent child

Context file:

r3056:9a452a5c351f

app/controllers/watchers_controller.rb +4 0

                      :render => { :nothing => true, :status => :method_not_allowed }
               def watch
+                if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
+                  render_403
+                else
                   set_watcher(User.current, true)
                 end
+              end
               def unwatch
                 set_watcher(User.current, false)

test/functional/watchers_controller_test.rb +9 0

@@ -48,6 +48,15 class WatchersControllerTest < ActionController::TestCase
48	assert Issue.find(1).watched_by?(User.find(3))	48	assert Issue.find(1).watched_by?(User.find(3))
49	end	49	end
50		50
		51	def test_watch_should_be_denied_without_permission
		52	Role.find(2).remove_permission! :view_issues
		53	@request.session[:user_id] = 3
		54	assert_no_difference('Watcher.count') do
		55	xhr :post, :watch, :object_type => 'issue', :object_id => '1'
		56	assert_response 403
		57	end
		58	end
		59
51	def test_watch_with_multiple_replacements	60	def test_watch_with_multiple_replacements
52	@request.session[:user_id] = 3	61	@request.session[:user_id] = 3
53	assert_difference('Watcher.count') do	62	assert_difference('Watcher.count') do

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages